CVE-2021-41230: 
NixOS vulnerability analysis and mitigation

Pomerium, an open source identity-aware access proxy, was affected by a vulnerability (CVE-2021-41230) discovered in versions 0.14.0 through 0.15.5. The issue involves changes to OIDC (OpenID Connect) claims of a user after initial login not being reflected in policy evaluation when using allowed_idp_claims as part of policy (GitHub Advisory).

The vulnerability stems from a user refresh functionality that was never getting called, resulting in stale IDP claims in user records. While sessions were being refreshed and those claims were updated, the user records maintained outdated information. This could lead to incorrect authorization decisions when using allowed_idp_claims in policy evaluation (GitHub PR). The vulnerability has been assigned a CVSS v3.1 base score of 5.3 MEDIUM by GitHub, with a vector string of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

When exploited, this vulnerability could result in Pomerium making incorrect authorization decisions if a user's OIDC claims are changed after their initial login. This could potentially lead to users retaining access to resources they should no longer be able to access, or being denied access to resources they should be able to access, based on their updated claims (GitHub Advisory).

The vulnerability has been patched in Pomerium version 0.15.6. For users unable to upgrade immediately, a workaround is available: clear data on the databroker service by either clearing redis or restarting the in-memory databroker to force claims to be updated (GitHub Advisory).